Case insensitive passwords
-
No reason for alarm... your a programmer... did you have a CS background? The size of the alphabet alone does not make the password safe or not. You can just come up with your own encoding for the password you want and as long as the string is sufficiently long, your covered. camelCasePassword --> camelucaseupassword :suss: Edit: I bet an individual encoding would be harder to break using known hashes... think... if everyone has their own encodings... then the passwords become much more random (in the eyes of the attacker) and harder to break.
But it should make it safer. So if I generate a password 14 characters long than the password is 62 bits if it's case insensitive or 81 bits if it's case sensitive. The bank in question limits the length of the password to 14 characters. (It's 29 and 36 bits for a six character password.) The site is a little better than this, because it does allow a handful of special characters. Where am I wrong? Edit: by the way I used the Keepass password generator to give me quick and dirty relative bit strength for a sample password
-
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
Nope. Heck, until a couple of years ago, my bank still used a 4-digit PIN for online banking. Any letters is a big improvement! :-D
Will Rogers never met me.
-
But it should make it safer. So if I generate a password 14 characters long than the password is 62 bits if it's case insensitive or 81 bits if it's case sensitive. The bank in question limits the length of the password to 14 characters. (It's 29 and 36 bits for a six character password.) The site is a little better than this, because it does allow a handful of special characters. Where am I wrong? Edit: by the way I used the Keepass password generator to give me quick and dirty relative bit strength for a sample password
-
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
-
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
yep
If your actions inspire others to dream more, learn more, do more and become more, you are a leader.-John Q. Adams
You must accept one of two basic premises: Either we are alone in the universe, or we are not alone in the universe. And either way, the implications are staggering.-Wernher von Braun
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.-Albert Einstein -
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
Wait a minute... how would you know?
-
How about banks that only allow a max of 8 characters :-)
Regards, Nish
My technology blog: voidnish.wordpress.com
Nish Sivakumar wrote:
How about banks that only allow a max of 8 characters :)
It depends if they are using rather large values of 8 or not.
Michael Martin Australia "I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible." - Mr.Prakash One Fine Saturday. 24/04/2004
-
Nish Sivakumar wrote:
How about banks that only allow a max of 8 characters :)
It depends if they are using rather large values of 8 or not.
Michael Martin Australia "I controlled my laughter and simple said "No,I am very busy,so I can't write any code for you". The moment they heard this all the smiling face turned into a sad looking face and one of them farted. So I had to leave the place as soon as possible." - Mr.Prakash One Fine Saturday. 24/04/2004
Website written in FORTRAN?
Bob Dole
The internet is a great way to get on the net.
:doh: 2.0.82.7292 SP6a
-
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
My bank is the exact opposite. The password AND the username are case sensitive. And they don't allow any special characters, just letters and numbers.
Bob Dole
The internet is a great way to get on the net.
:doh: 2.0.82.7292 SP6a
-
Would anyone else feel uncomfortable if their bank, a major bank, used case insensitive passwords?
Absolutely I would feel uncomfortable. But not for the reason that some people seem to be imagining. It's because it makes me think that they're storing my password in plaintext. Basically, I can think of two ways that my password would be case insensitive. a) is deliberate - they uppercase (or lowercase) it before hashing it. It seems pointless and silly to do this, but it causes no great loss of security. b) is accidental - they're storing my password in plaintext, and SQL string comparisons are case insensitive by default. The tendency to believe b) is what makes me uncomfortable.